Re: [SC-L] SC-L Digest, Vol 3, Issue 73

2007-04-09 Thread Frederik De Keukelaere 
Brian Chess [EMAIL PROTECTED] wrote on 2007/04/09 13:31:04:

 Hi Frederik, 

Hi Brian,

 You're right that IE does not have the setter methods.  You're also 
right
 that hijacking the Object() or Array() constructor method would be 
enough to
 pull off the attack.  The bad (good?) news is that IE doesn't call those
 methods unless an object is explicitly created with the new keyword. 
We
 got this wrong when we looked at it initially, which is why we said the 
code
 could be ported to IE.  We're going to go back and fix that in the 
paper.

Thanks for your reply. Since there is much more to JavaScript than that I 
originally anticipated, I thought we missed something in our experiments.
 
 Of course, any JavaScript data transport format that explicitly calls a
 function is vulnerable in all browsers.  Over the last week or two I've 
been
 learning that people are moving data around using a lot more than just 
JSON,
 though JSON is the clear front-runner.

Would you mind sharing the different data formats you came across for 
exchanging data in mashups/Web 2.0? Considering the challenges you 
recently discovered, it might be good to have such an overview to look at 
it from a security point of view.
 
 Brian

Frederik

---
Frederik De Keukelaere, Ph.D.
Post-Doc Researcher
IBM Research, Tokyo Research Laboratory___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___

Re: [SC-L] JavaScript Hijacking

2007-04-06 Thread Frederik De Keukelaere 
Hi Brian, Hi Stefano, 

snip
 
 Ok I see the difference. 
 You are taking advantage of a pure json CSRF with a evil script which
 contains a modified version of the Object prototype.
 And when the callback function is executed you use a XMLHttpRequest in
 order to send the information extracted by the instantiated object.

In the beginning of the paper there was a comment that the code that was 
presented was designed for use in Firefox but could be ported to IE or 
other browsers. However, since IE does not seem to have the setter methods 
(correct me if I am wrong), I did not quite find a way to achieve this in 
IE. 
We tried several things such as replacing Array and Object constructor as 
well as as overriding eval, neither of which worked. Do you have any 
suggestions about how to port this attack to IE?

Btw, thanks for the papers.

Kind Regards,

Fred

---
Frederik De Keukelaere, Ph.D.
Post-Doc Researcher
IBM Research, Tokyo Research Laboratory___
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com)
as a free, non-commercial service to the software security community.
___